lokibot

General

Target

3a53c78fe9cd7f38f85258a17b37fe6e_JaffaCakes118
Size

249KB
Sample

240512-qnjnwabe52
MD5

3a53c78fe9cd7f38f85258a17b37fe6e
SHA1

76f035dcaffc9087a2a959d0419d8653f6b29b39
SHA256

fea3f30556e99bb327e2584018334b8b5ba8d74ae25710626b9d58cf0666e41c
SHA512

b14c483b7ca03d15cc0f430914a865463ab69e6b16cc783a69525e5ebaf3fc9c7451c6ee8473fe169c84fc6d05a5e1023b1c3590d9339abbc09dd1fb2999baf1
SSDEEP

3072:pYbZ4Hwie5tR7c6ZGU05sHbf4bQl4F8jU8NRFJUuj4Il/ZbEyGvp0welfONmQTiA:pY8ipnMi4Vu734ID6hKlWVi3iE/jQCnw

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://107.175.150.73/~giftioz/.hokbi/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  3a53c78fe9cd7f38f85258a17b37fe6e_JaffaCakes118
- Size
  
  249KB
- MD5
  
  3a53c78fe9cd7f38f85258a17b37fe6e
- SHA1
  
  76f035dcaffc9087a2a959d0419d8653f6b29b39
- SHA256
  
  fea3f30556e99bb327e2584018334b8b5ba8d74ae25710626b9d58cf0666e41c
- SHA512
  
  b14c483b7ca03d15cc0f430914a865463ab69e6b16cc783a69525e5ebaf3fc9c7451c6ee8473fe169c84fc6d05a5e1023b1c3590d9339abbc09dd1fb2999baf1
- SSDEEP
  
  3072:pYbZ4Hwie5tR7c6ZGU05sHbf4bQl4F8jU8NRFJUuj4Il/ZbEyGvp0welfONmQTiA:pY8ipnMi4Vu734ID6hKlWVi3iE/jQCnw
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  KtlVtDDtCbxIugvgm
- Size
  
  548KB
- MD5
  
  759df20fc9033fe2ce3af881567a0829
- SHA1
  
  d0fc50a7b88b54a573b5ffdfaba36c380da5f222
- SHA256
  
  dd52fa10a43e5082981ecf90523d3f308fbdffea66844148e96a547ad133c8e7
- SHA512
  
  60381d28369bbcb9f08396abd5cbcff336758e546223086d93e76b77c478cf200dfbed77e8120406fb589abb304e8fb466be7d0e06e579e9f4ec6fc67560fdc9
- SSDEEP
  
  3072:lNgCN7HUJSqCDKNEsVPctRNHByrsGCaAYciERk5R9XFd5K/PF5dxaaODKYXPgB4S:D
Score

3^/10

execution
behavioral3 behavioral4
- Target
  
  KtlVtDDtCbxIugvgma5.exe
- Size
  
  101KB
- MD5
  
  fa27c746271b2c2e1e73b86a0a77b914
- SHA1
  
  4808bce9aa26cc07389480724b460f25512bb568
- SHA256
  
  00d716359a25f1e2b3aed74c005d10fc93365bf34607eabb58cafbb6b294eaa1
- SHA512
  
  e06911497ae6708076bb87b2fe4413858344bd6de67f52df3d7447768b39b8d8be42063ba899cebea26c778e466ef66f8ce7076e53863a1c5d6b93cda5843209
- SSDEEP
  
  1536:6P2L6sdYjNKG3rSzOJ6JLiGUUsCvm9Fs315Y:dL6sAwG3rSzg6piGU0OFsH
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral5 behavioral6